Question:
Indicate for each control whether it is best classified as an input control (IC), processing control (PC) or an output control (OC). Note that risks to computer applications are mitigated through input controls (on inputs to the system), processing controls (that are set within the underlying application software) and output controls (that relate to the outputs from the system).
1. access, security and passwords control
2. all expected output received
3. an adequate transaction trail available so that data may be traced to the original or and through the system
4. anti-virus software
5. appropriate format
6. authorization
7. batch control (where appropriate)
8. call back for remote access
9. check digits
10. checkpointing – saving transactions at a certain point in time
11. compatibility checks – consistent field used
12. completeness checks, for example, all fields covered and all data accounted for
13. completeness, for example, batch numbers
14. completeness schedules of expected output
15. control totals
16. control totals
17. controlled stationery
18. data being quickly resubmitted wherever necessary
19. disciplinary action with instant removals of staff
20. disposal of documents and reports
21. double keying and verification
22. duplicate input checks
23. encryption
24. error messages
25. error reports
26. e-transfers authorization
27. exception checks – for example, overtime only given to certain grades of officers
28. exception reports
29. exceptions investigated by a responsible officer
30. file identification controls
31. firewalls and authentication routines
32. format checks – that ensure the item is either alpha or numeric
33. good security arrangements for reports in line with data protection rules
34. independent check on all output
35. limit checks
36. logical routines
37. manual procedures to ensure all reports reach their destination
38. mechanisms to ensure that the output is received in a timely fashion
39. missing data checks
40. overflow flags that indicate where excess digits have been used
41. page numbering
42. physical access restrictions
43. prioritization of output
44. range checks – so that a transaction must be between say £0 and £20,000
45. reconciliation of related fields
46. record count
47. recovery procedure
48. reference documents
49. reports only sent to authorized users
50. rules on automated document retention and storage
51. run-to-run controls – for example, total gross pay from the Gross Pay programme should be the input to the Net Pay programme
52. screen viewing restricted to authorized personnel
53. secure printers
54. security over valuable stationery
55. segregation of duties
56. sequence checks on consecutive numbering
57. sequential numbers
58. shredders for confidential waste
59. staff training and recruitment
60. suitable reports
61. supervisors review and authorization
62. systems failure controls
63. the appropriate media used
64. the whole validation programme
65. turnaround documents
66. user feedback to ensure that reports are no longer sent where they are not used
67. user procedures
68. validation – range, format, reasonableness
69. validation (display data after routine) – accuracy checks
70. validity checks – say checking that a correct code has been used
71. well-designed input documents
72. well-planned error and exception reports
73. working documents.
Step by Step Answer: